I have a simple little network with 3 AD servers in 2 sites. Site A has Win2k3 SP2 and Win2k SP4 servers, site B has a single Win2k3 SP2 server. All have been in place for at least 3 years now.

Just last week I started getting Event 2089 "not backed up" warnings (example below) on both of the Win2k3 servers. I understand what the message means, no need to send me links to the TechNet article explaining it. I'll improve my backups.

What I'm more curious about is why did I just start getting this message now? Why haven't I been getting it for the past 3 years?!?

Perhaps this is related: I recently decommissioned a few other sites and AD controllers (there used to be 3 more sites, each with their own controller). Don't worry, I did proper DCpromo exercises and made sure we didn't lose anything. But would shutting those down possibly be related to why I get this error now?

This won't keep me awake at night but I am curious as to what changed...

Event Type: Warning
Event Source: NTDS Replication
Event Category: Backup
Event ID: 2089
Date: 3/28/2010
Time: 9:25:27 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: RedactedName
Description:
This directory partition has not been backed up since at least the following number of days.
Directory partition:
DC=MyDomain,DC=com
'Backup latency interval' (days):
30
It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.
By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.
'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

2 Answers
2

I have to agree with Helvick. Maybe you (or someone else, someone before you) had one of them doing a System State backup and then you removed the server. Even if it dumped it to a local file on itself and overwrote the file once a month, Windows would still think it's been backed up and not show this message. The only criterion is that a System State backup be made at least once a month by default. Everything you say leads me to believe that's the case, but I am curious what you mean by "they were being backed up wrongly". You seem to say that you did have some backup mechanism in place, it just wasn't very good. That makes me think that a backup was being made. A poorly made backup is still a backup.

I'm also assuming you moved any FSMO roles that your old server may have had to new ones. Even if you didn't, I don't think it would cause this error to be reported.
– sinping, Apr 2 '10 at 16:04

Backed up wrongly: I was doing data backups, no system state backups. FSMO roles: The decommissioned server held none. And finally, I'm the one who built all this so I have nobody before me to blame :-) And to be clear, I'm not saying doing System State backups is bad -- I'm just trying to understand how I've gotten away without them for so long without warnings in the event log.
– Chris_K, Apr 2 '10 at 16:23

Since this is based on a replicated AD attribute (the DSA Signature), this seems to indicate that you had a regular backup procedure that regularly backed up at least one of the now decommissioned servers within the 30-day default period, but you no longer have a regular full system state backup on any of your remaining servers (or if you do, it is failing for some reason). Now that you've removed those servers, the attribute is not being reset regularly, hence the event is firing.

This Symantec error report outlines a possible cause that could apply to any backup utility, which is basically permissions related.

While it certainly seems like I must've had a regular system state backup in place, I have to confess that I didn't -- all the decom'd servers were backed up the same way as the remaining servers (in other words: wrongly). Unless some aspect of replication between the various servers was doing it for me...?
– Chris_K, Mar 30 '10 at 14:53
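
One way to check the explanation above on a remaining domain controller, as an added example that is not part of the original thread. It assumes Windows PowerShell in an elevated session on the DC and `repadmin` from the support tools; the 60-day fallback is the default that applies when `tombstoneLifetime` is unset.

```powershell
# Added example: compare the effective backup latency threshold with what AD has recorded.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Backup Latency Threshold (days)'   # registry value named in the event text

# Tombstone lifetime is stored on the Directory Service object in the configuration partition.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$dirSvc    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tombstone = $dirSvc.Properties['tombstoneLifetime'].Value
if (-not $tombstone) { $tombstone = 60 }         # assumption: attribute unset means 60 days

# Effective threshold: registry override if present, otherwise half the tombstone lifetime.
$override  = (Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$threshold = if ($null -ne $override) { [int]$override } else { [int][math]::Floor($tombstone / 2) }
"Tombstone lifetime: $tombstone days; backup latency threshold: $threshold days"

# Last backup time recorded for each directory partition, as this DC sees it.
# The value replicates, so a backup of any replica (including a since-removed DC) updates it.
repadmin /showbackup

# History of Event 2089 in the Directory Service log. The oldest entry marks the day the
# threshold was first exceeded; subtracting the threshold approximates the last recorded backup.
$events = Get-EventLog -LogName 'Directory Service' -Source 'NTDS Replication' -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 2089 } |
    Sort-Object TimeGenerated

if ($events) {
    $first = $events | Select-Object -First 1
    "First 2089 warning: $($first.TimeGenerated)"
    "Implied last backup on or before: $($first.TimeGenerated.AddDays(-$threshold))"
} else {
    'No Event 2089 entries found in the Directory Service log.'
}
```

If the date reported by `repadmin /showbackup` falls in the period when the decommissioned controllers were still online, that supports the answer above; the command only shows when a backup was recorded, not which server or tool produced it.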